TLS: unable to get certificate ...

Goetz Babin-Ebell goetz at shomitefo.de
Sun Apr 13 17:19:51 EDT 2008



Wesley Craig schrieb:
|  From the article:
|> I’ve *finally* discovered why my IMAP server no longer likes my
|> self-signed certificates. The certificates are just fine. Cyrus is
|> just fine. It’s OpenSSL that’s the problem - Bug 1513 to be exact.
|
|> Cyrus calls SSL_CTX_use_certificate_chain_file() to read in the
|> certificate file, but in my case, since I don’t have CA data set,
|> an earlier function returns an error, so the
|> SSL_CTX_use_certificate_chain_file() function also returns an
|> error, even though the certificate and key are just fine.
|
| What does that buy you?  Why not set the cert as the CA, since that
| is the meaning of "self-signed certificate"?

The other way around:
You gain nothing by setting the self-signed server cert as CA.

As long as you don't do client authentication, you have to provide
all intermediate CA certificates up to but NOT including the root
certificate, and you do that by including them in the server cert file.

All the CA certificates you provide are only to allow the client
to follow the certificate chain up to a trusted certificate that
_is_already_available_to_the_client_.

So either the client already has the root and has marked it as a trustworthy
one (this way allowing the client to automatically accept the server
certificate as signed by a trusted cert),
or the client does not.
In that case the client's software must ask the user whether
the server certificate may be accepted.

Sending the root cert is only a waste of bandwidth...

There are four use cases:
* server cert signed by root cert, no client cert authentication.
   This includes a self-signed server cert:
   You put the server cert into tls_cert_file.
* server cert signed by intermediate CA cert(s), signed by root,
   no client cert authentication:
   You put the server cert (and the intermediate cert(s))
   into tls_cert_file.
* server cert signed by root cert, with client cert authentication:
   You put the server cert into tls_cert_file and the CA certs
   you intend to accept client certificates from into tls_ca_file.
   You can put intermediate CA certificates for client authentication
   into the directory pointed to by tls_ca_path.
   (Additionally you can put CRLs into this directory.)
* server cert signed by intermediate CA cert(s), signed by root,
   with client authentication:
   You put the server cert (and the intermediate cert(s))
   into tls_cert_file and the CA certs you intend to accept client
   certificates from into tls_ca_file.
   You can put intermediate CA certificates for client authentication
   into the directory pointed to by tls_ca_path.
   (Additionally you can put CRLs into this directory.)


Cyrus barfing on no CA data set with no client authentication is a bug.


Goetz

-- 
DMCA: The greed of the few outweighs the freedom of the many
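An added example, not part of Goetz's post and not code from Cyrus or OpenSSL, that exercises the two no-client-authentication cases above with the openssl command line. It builds a throwaway root, intermediate and server certificate (the CNs, file names and temp directory are all constructed here), assembles the tls_cert_file contents as described (server cert first, then the intermediate, root left out), and then checks the file the way a client does: the root is taken only from the client's own trust store. The helper names build_demo_pki and client_verify are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post, nor from Cyrus/OpenSSL):
# build root -> intermediate -> server with the openssl CLI, put together the
# server cert file the way the post describes, and verify it as a client would.
# Everything below (names, CNs, temp dir) is constructed for the demo.
set -eu

# Writes a throwaway PKI into a temp dir and prints that dir's path.
build_demo_pki() {
  work=$(mktemp -d)
  cat > "$work/pki.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:imap.example.test
[ v3_selfsigned ]
# no keyUsage here on purpose: OpenSSL only treats a cert as its own issuer
# when keyUsage is absent or contains keyCertSign
basicConstraints = CA:FALSE
subjectAltName = DNS:imap.example.test
EOF
  {
    # root CA (self-signed); this is what the client has in its trust store
    openssl req -x509 -config "$work/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
      -days 30 -subj "/CN=Example Root CA" -keyout "$work/root.key" -out "$work/root.pem"
    # intermediate CA, signed by the root
    openssl req -new -config "$work/pki.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=Example Intermediate CA" -keyout "$work/int.key" -out "$work/int.csr"
    openssl x509 -req -in "$work/int.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
      -CAcreateserial -days 30 -extfile "$work/pki.cnf" -extensions v3_ca -out "$work/int.pem"
    # server cert, signed by the intermediate
    openssl req -new -config "$work/pki.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=imap.example.test" -keyout "$work/server.key" -out "$work/server.csr"
    openssl x509 -req -in "$work/server.csr" -CA "$work/int.pem" -CAkey "$work/int.key" \
      -CAcreateserial -days 30 -extfile "$work/pki.cnf" -extensions v3_server -out "$work/server.pem"
    # a self-signed server cert, for the first use case in the post
    openssl req -x509 -config "$work/pki.cnf" -extensions v3_selfsigned -newkey rsa:2048 -nodes \
      -days 30 -subj "/CN=imap.example.test" -keyout "$work/self.key" -out "$work/self.pem"
  } >/dev/null 2>&1
  # what belongs in tls_cert_file: server cert first, then intermediate(s), no root
  cat "$work/server.pem" "$work/int.pem" > "$work/tls_cert_file.pem"
  # the wasteful variant: root appended as well
  cat "$work/server.pem" "$work/int.pem" "$work/root.pem" > "$work/with_root.pem"
  echo "$work"
}

# client_verify TRUST_STORE SENT_FILE: prints "ok" or "fail".
# TRUST_STORE stands for the root(s) the client already has; SENT_FILE stands
# for what the server presents, leaf first. The leaf (first cert in SENT_FILE)
# is the one being verified; the rest of the file is only untrusted chain
# material, exactly like the extra certs in a TLS Certificate message.
client_verify() {
  if openssl x509 -in "$2" 2>/dev/null |
     openssl verify -CAfile "$1" -untrusted "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Stand-alone run: the cases from the post.
PKI=$(build_demo_pki)
echo "server+intermediate, client trusts root:        $(client_verify "$PKI/root.pem" "$PKI/tls_cert_file.pem")"
echo "server only, client trusts root:                $(client_verify "$PKI/root.pem" "$PKI/server.pem")"
echo "server+intermediate+root, client trusts root:   $(client_verify "$PKI/root.pem" "$PKI/with_root.pem")"
echo "self-signed, client trusts that cert:           $(client_verify "$PKI/self.pem" "$PKI/self.pem")"
echo "self-signed, client trusts only unrelated root: $(client_verify "$PKI/root.pem" "$PKI/self.pem")"
```

The second case is the one that bites when the intermediate is left out of tls_cert_file: the client holds the root, but cannot connect the server cert to it and verification fails. The third case shows that appending the root changes nothing, since the client only ever trusts the copy in its own store. The last two cases are the self-signed situation from the post: validation succeeds only if the client already has that cert marked as trusted; otherwise there is nothing to chain to and the client's software has to ask the user.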

